Whenever I use my RSA key (when using ssh, for example) I'm prompted for my passphrase. I would like that, instead of being prompted for it, if a "USB-Key" is plugged in, it would use that instead of the passphrase.

But if the USB is not plugged in, then it would fall back to the passphrase prompt.

If there is a solution to this, could someone point me to it? Or at least give me some keywords/links for me to refine my search for it?

3 Answers

Edit: Note that even Yubikey recommends not storing the entire key on the device...

From the Yubikey website:

Yubico recommends users to use the YubiKey in static password mode for only part of their password. Users are recommended to manually enter a simple and easy-to-remember first part of their password, then use the YubiKey to enter a strong second part to their password. For example: Users can set their password to Sunny33rcltrcihbkkiulnveuenervidliliifv, where “Sunny33” is manually entered by the users and “rcltrcihbkkiulnveuenervidliliifv” is stored in and entered by the YubiKey.

This sounds like a bad idea to me, since anybody finding/grabbing your USB stick can thereafter use your RSA key. The typical alternative would be using a smartcard (some are available in USB form factor), where application of the key is still protected by a PIN, so the factor "something-you-know" is still necessary. It may be possible that the PIN needs to be entered only once per (smart card) session, i.e. as long as the card is in the reader.

I agree that storing the entire key on a device is a bad idea... Yubikey (see link in my answer) recommends breaking the key into a strong password (user-rememberable) and a machine-generated key so that both are required. I edited my answer to include that note.
– BrianAdkins Feb 13 '13 at 13:45

You could store the password in a Keepass database stored with the RSA key and encrypt it with a keyfile which is on the USB stick. To make myself clear:

Your harddisk:

RSA key

encrypted Keepass database that requires a keyfile (consider EFS or LUKS/dmcrypt encryption on top of that if you think someone could both steal your USB key and access your harddisk)

Your USB key:

Keepass keyfile

The idea is that should you lose your USB key, it contains data that is useless without the harddisk, while you can still (hopefully) remember your RSA key's password.

If set up correctly, all you need to do is have Keepass running and use the USB key's keyfile, and when prompted for your password CTRL+ALT+A should enter your RSA key's passphrase. Depending on what you actually use that key for you can even store the RSA key directly in Keepass, e.g. for SSH via KeeAgent (requires KeePass 2.x) or PuttyAgent (for KeePass 1.x).
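The same split this answer describes (encrypted secret on the hard disk, keyfile on the stick, and the passphrase prompt as the fallback the question asks for), as an added shell example that is not code from any of the answers: it uses openssl in place of KeePass and the SSH_ASKPASS hook of ssh-add, and the file names, mount roots and helper names are assumptions.

```shell
#!/bin/sh
# Added sketch: passphrase encrypted on disk, keyfile on the stick, prompt as fallback.
# Hypothetical names; override them via the environment.
KEYFILE_NAME=${KEYFILE_NAME:-ssh-keyfile}          # file that lives only on the USB stick
PASS_BLOB=${PASS_BLOB:-$HOME/.ssh/id_rsa.pass.enc} # passphrase, encrypted, kept on the hard disk
SSH_KEY=${SSH_KEY:-$HOME/.ssh/id_rsa}

# One-time: put a random single-line secret on the stick (openssl -pass file: reads line 1).
make_keyfile() { (umask 077; head -c 32 /dev/urandom | base64 > "$1"); }

# One-time: read the key's passphrase on stdin and store it encrypted with the keyfile.
enroll() {
    (umask 077; openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1" -out "$PASS_BLOB")
}

# Print the keyfile path from the first mounted stick that carries one; status 1 if none.
find_keyfile() {
    for root in ${USB_ROOTS:-/media/$USER /run/media/$USER /mnt}; do
        [ -d "$root" ] || continue
        for dir in "$root"/*/ "$root"/; do
            f="${dir%/}/$KEYFILE_NAME"
            [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
        done
    done
    return 1
}

# "usb" when both the stick and the encrypted blob are present, otherwise "prompt".
unlock_mode() {
    if find_keyfile >/dev/null && [ -f "$PASS_BLOB" ]; then echo usb; else echo prompt; fi
}

# Load the key into ssh-agent. With the stick present, ssh-add gets the decrypted
# passphrase through an SSH_ASKPASS helper; without it, ssh-add prompts as usual.
add_key() {
    if [ "$(unlock_mode)" = usb ]; then
        kf=$(find_keyfile)
        askpass=$(mktemp) || return 1
        printf '#!/bin/sh\nexec openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:%s" -in "%s"\n' \
            "$kf" "$PASS_BLOB" > "$askpass" && chmod 700 "$askpass"
        # DISPLAY must be set and stdin must not be a tty for ssh-add to call the helper;
        # SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4+) makes this explicit.
        SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=${DISPLAY:-none} \
            ssh-add "$SSH_KEY" </dev/null
        rc=$?; rm -f "$askpass"; return $rc
    else
        ssh-add "$SSH_KEY"
    fi
}
```

Call `add_key` from your shell profile; note that anyone holding both the stick and the disk can unlock the key, which is why the answer suggests EFS or LUKS on top.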